Is the iPhone Vulnerable to SMS Spoofing and Hacks? Yes, but Don't Blame your Wireless Carrier

On August 17 last week, a researcher writing on the pod2g blog claimed to have discovered a vulnerability in the iPhone's SMS software that, if properly exploited, would let a phisher or other attacker gain a mobile user's trust by spoofing the apparent sender of a text message, potentially leading to further and harmful mischief.

Following the disclosure, various wireless carriers found themselves being blamed for the security hole.

It turns out, however, that no matter how much you may want to blame your carrier for your iPhone's security vulnerability, the truth is that only Apple is to blame.

The vulnerability itself is technical in nature but also exceptionally easy to understand. The SMS protocol provides an optional "Reply-Address" field, which a knowledgeable person can use to indicate that a message is coming from somewhere other than where it actually originated. That is, a message can be shown as coming from a "trusted" source (e.g. a known phone number or name) even though it actually came from a malicious one.

Why provide such a capability in the first place?

“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” said Cathal McDaid, Security Consultant at AdaptiveMobile.

When the field is not used in this manner, the SMS protocol is very explicit about how the "feature" needs to be treated. The issue that pod2g identified is that the iPhone displays the reply-address as the sending address in its SMS client and does not show the real "originating-address."

"We know conclusively that this is not a wireless carrier network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and gives recommendations on how to avoid malicious use of this," continued McDaid. "We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the 'reply-address' field or display both the 'real' originating address and the reply address – which is what the specification recommends."

"The use of the Reply-Address is exceptionally rare in mobile networks now," McDaid added. "It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialized – it is one of the many extended SMS function fields that didn't get much traction. The simple answer to the problem then is to simply ignore the reply-address field altogether."

And this is exactly what almost all other device manufacturers do. The iPhone, almost as if by magic, is the only smart mobile device that doesn't ignore it, and it simultaneously uses SMS software that does not comply with the SMS protocol's security recommendations. Apple is well aware of the issue and the security weakness, but for reasons only Apple knows, the company has not stated any intention of fixing this rather simple-to-fix problem.
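As an added illustration (not code from the article, pod2g or AdaptiveMobile) of the field McDaid describes and of the two ways a client can treat it: the following parses a constructed SMS-DELIVER PDU, pulls out the real TP-OA originating address and any reply address carried in the User Data Header, and renders the sender line both the way pod2g described the iPhone behaving and the way the 3GPP recommendation suggests (show the originating address, and show the reply address separately if one is present). It assumes the reply address travels as User Data Header information element 0x22 (the Reply Address Element) encoded like TP-OA, and the sample PDU uses an 8-bit data coding so the text needs no 7-bit unpacking.

```python
IEI_REPLY_ADDRESS = 0x22  # Reply Address Element IEI (assumed, from 3GPP TS 23.040)
# Constructed SMS-DELIVER TPDU (no SMSC prefix): UDHI set, 8-bit DCS, real originating
# address +15551234567, a UDH reply address of +18005551212, text "Account notice".
SAMPLE_PDU = ("440B915155214365F7" "0004" "21807121000000" "19"
              "0A22080B918100551512F2" "4163636F756E74206E6F74696365")

def _decode_address(data, pos):
    """TP-OA style address: digit count, type-of-address, swapped-nibble BCD (F pads)."""
    ndigits, toa = data[pos], data[pos + 1]
    nbytes = (ndigits + 1) // 2
    digits = ""
    for b in data[pos + 2 : pos + 2 + nbytes]:
        digits += str(b & 0x0F)
        if (b >> 4) != 0xF:
            digits += str(b >> 4)
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # 0x91: international number
    return prefix + digits[:ndigits], pos + 2 + nbytes

def parse_sms_deliver(pdu_hex):
    """Return the real originating address, any UDH reply address, and the text."""
    data = bytes.fromhex(pdu_hex)
    if data[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(data[0] & 0x40)                # TP-UDHI: a User Data Header follows
    originating, pos = _decode_address(data, 1)
    pos += 1 + 1 + 7                           # skip TP-PID, TP-DCS, TP-SCTS
    udl = data[pos]
    user_data = data[pos + 1 : pos + 1 + udl]
    reply_address, body = None, user_data
    if udhi:
        udhl = user_data[0]
        header, body = user_data[1 : 1 + udhl], user_data[1 + udhl :]
        i = 0
        while i + 1 < len(header):             # walk the IEI / IEDL / IED triples
            iei, iedl = header[i], header[i + 1]
            if iei == IEI_REPLY_ADDRESS:
                reply_address, _ = _decode_address(header, i + 2)
            i += 2 + iedl
    return {"originating": originating, "reply_address": reply_address,
            "text": body.decode("latin-1")}

def render_sender(msg, spec_compliant=True):
    """spec_compliant=False mimics the behaviour pod2g described (reply address shown as
    the sender); True follows the 3GPP advice: show the originating address, flag the rest."""
    if not spec_compliant and msg["reply_address"]:
        return f"From: {msg['reply_address']}"
    line = f"From: {msg['originating']}"
    if msg["reply_address"] and msg["reply_address"] != msg["originating"]:
        line += f" (replies go to {msg['reply_address']})"
    return line
```

Run on SAMPLE_PDU, the non-compliant policy shows only the attacker-chosen reply address, while the compliant policy shows the real originating number with the reply address flagged beside it.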

Apple has suggested using its iMessage service instead to circumvent the problem. That is an interesting approach for Apple to take, but even among Apple extremists there will be times when an iPhone user wants to communicate with someone other than another iPhone user – it's been known to happen.

Of course, Apple will play the contrarian any time it can, but even so, we can't quite figure out why it is the lone agent here supporting a defunct SMS feature that presents a security hole if improperly handled (and Apple handles it improperly).

For those of you waiting to upgrade to iOS 6, it won't fix the problem. The beta 4 version of iOS 6 that will likely become the shipping version in a few weeks still has the problem. There is no Apple magic on this particular issue.

Edited by Braden Becker

TechZone360 Senior Editor
